-rw-r--r-- | Changelog | 2 | ||||
-rw-r--r-- | config/lacme-certs.conf | 4 | ||||
-rwxr-xr-x | lacme | 8 | ||||
-rw-r--r-- | lacme.8.md | 4 | ||||
-rw-r--r-- | tests/cert-install | 20 |
5 files changed, 22 insertions, 16 deletions
@@ -7,6 +7,8 @@ lacme (0.8.1) upstream; umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge files. + + lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. + 'chmod'. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf index 5259690..4af5652 100644 --- a/config/lacme-certs.conf +++ b/config/lacme-certs.conf @@ -52,11 +52,11 @@ # username[:groupname] to chown the issued certificate and # certificate-chain with. # -#chown = root:root +#owner = root:root # Octal mode to chmod the issued certificate and certificate-chain with. # -#chmod = 0644 +#mode = 0644 # Command to pass the the system's command shell ("/bin/sh -c") after # successful installation of the certificate and/or certificate-chain. @@ -761,7 +761,8 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { my $def = delete $h->{_} // {}; $defaults{$_} = $def->{$_} foreach keys %$def; my @valid = qw/certificate certificate-chain certificate-key min-days CAfile - hash keyUsage subject subjectAltName tlsfeature chown chmod notify/; + hash keyUsage subject subjectAltName tlsfeature + owner chown mode chmod notify/; foreach my $s (keys %$h) { $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid }; die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}}; @@ -855,7 +856,10 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { } } - my %install = ( content => $x509, mode => $conf->{chmod} // "", owner => $conf->{chown} // "" ); + my %install = ( content => $x509, + mode => $conf->{mode} // $conf->{chmod} // "", + owner => $conf->{owner} // $conf->{chown} // "" + ); # install certificate if ((my $path = $conf->{'certificate'} // "") ne "") { 
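Review bot: Now that `@valid` in the `@@ -761` hunk lists both `owner` and `chown` (and both `mode` and `chmod`), a section that sets the two spellings with different values passes the "Unknown option(s)" check untouched, and which value ends up on the installed certificate is decided silently by the fallback order used later. For a setting that controls who can read the certificate file, a quietly ignored `chmod = 0600` next to a stale `mode = 0644` is a misconfiguration the parser is in the best position to refuse, so the loop in this hunk should reject a section that carries both spellings the same way it rejects unknown keys. The `elsif` block this loop lives in starts and ends outside the hunk, and the loop's closing brace is not in view.
```perl
# … unchanged: @valid list and start of the foreach over sections …
        die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}};
        # 'owner'/'mode' alias 'chown'/'chmod'; refuse both spellings in one section
        foreach my $alias (['owner', 'chown'], ['mode', 'chmod']) {
            my ($new, $old) = @$alias;
            die "Conflicting options in [$s]: '$new' and '$old'\n"
                if defined $conf->{$s}->{$new} and defined $conf->{$s}->{$old};
        }
```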
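Review bot: The fallback chains `$conf->{mode} // $conf->{chmod} // ""` and `$conf->{owner} // $conf->{chown} // ""` in the `@@ -855` hunk pick a value by spelling rather than by where it was configured; if the `[_]` section captured into `%defaults` in the `@@ -761` hunk is merged into each certificate section before this point (that merge is not visible here), a `mode =` or `owner =` given as a default will win over a per-section `chmod =` or `chown =`, which inverts the usual defaults-versus-section precedence. Resolving the alias once at parse time, by copying the legacy key into the new one when only the legacy key is set, would let this hunk read just `mode => $conf->{mode} // "",` and `owner => $conf->{owner} // "",` and keep precedence tied to the section. Worth confirming against the merge code, which is outside this hunk; the enclosing `elsif` block also starts and ends outside it.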
@@ -421,12 +421,12 @@ Valid settings are: See [`x509v3_config`(5ssl)] for a list of possible values. Note that the ACME server might override the value provided here. -*chown* +*owner*, *chown* : An optional `username[:groupname]` to chown the issued *certificate* and *certificate-chain* to. -*chmod* +*mode*, *chmod* : An optional octal mode to chmod the issued *certificate* and *certificate-chain* to. By default the files are created with mode diff --git a/tests/cert-install b/tests/cert-install index c49a294..4b3e820 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -103,14 +103,14 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)" [ "$st" = "root:root 0644" ] -# chown user +# owner user openssl genpkey -algorithm RSA -out /etc/lacme/test4.key cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF [test4] certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nonexistent-user + owner = nonexistent-user subject = $subject EOF @@ -119,21 +119,21 @@ grepstderr -Fxq "getpwnam(nonexistent-user)" ! test -e /etc/lacme/test4.pem ! test -e /etc/lacme/test4.crt -sed -ri "s/^chown\\s*=.*/chown = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf +sed -ri "s/^owner\\s*=.*/owner = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf lacme newOrder test4 2>"$STDERR" || fail newOrder test4 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" [ "$st" = "nobody:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -# chown user:group +# owner user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF [test5] certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nonexistent-group + owner = nobody:nonexistent-group subject = $subject EOF 
@@ -142,7 +142,7 @@ grepstderr -Fxq "getgrnam(nonexistent-group)" ! test -e /etc/lacme/test5.pem ! test -e /etc/lacme/test5.crt -sed -ri "s/^chown\\s*=.*/chown = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf +sed -ri "s/^owner\\s*=.*/owner = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf lacme newOrder test5 2>"$STDERR" || fail newOrder test5 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" [ "$st" = "nobody:nogroup 0644" ] @@ -156,8 +156,8 @@ cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF certificate-key = /etc/lacme/test6.key certificate-chain = /etc/lacme/test6.crt certificate = - chmod = - chown = + mode = + owner = subject = $subject EOF @@ -166,14 +166,14 @@ EOF st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)" [ "$st" = "root:root 0600" ] -# chmod +# mode openssl genpkey -algorithm RSA -out /etc/lacme/test7.key cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF [test7] certificate-key = /etc/lacme/test7.key certificate = /etc/lacme/test7.pem certificate-chain = /etc/lacme/test7.crt - chmod = 0400 + mode = 0400 subject = $subject EOF |
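Review bot: Every case in tests/cert-install was switched from `chown`/`chmod` to `owner`/`mode`, so the legacy spellings the change deliberately keeps accepting are no longer exercised anywhere in this file, and neither is the outcome when both spellings appear in one section. One case (test7 in the `@@ -166` hunk, for instance) should stay on `chmod = 0400`, and a further case should set `mode = 0400` together with `chmod = 0644` and assert the resulting `stat` output, so that a regression in the alias handling is caught rather than masked. The `@@ -166` hunk appears to be cut off at the end of the page.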